From 6fbff9d8da5f697bf20dd4e9a07fb83463ecd15b Mon Sep 17 00:00:00 2001 From: Florian Smeets Date: Sat, 14 Dec 2013 23:30:36 +0000 Subject: [PATCH] Update to 5.3.28 Security: 47b4e713-6513-11e3-868f-0025905a4771 --- databases/php53-interbase/Makefile | 1 - databases/php53-pdo_firebird/Makefile | 1 - ftp/php53-curl/Makefile | 1 - lang/php53/Makefile | 2 +- lang/php53/distinfo | 4 +- lang/php53/files/patch-ext_openssl_openssl.c | 111 ------------------- security/php53-openssl/Makefile | 2 - security/vuxml/vuln.xml | 47 ++++++++ 8 files changed, 50 insertions(+), 119 deletions(-) delete mode 100644 lang/php53/files/patch-ext_openssl_openssl.c diff --git a/databases/php53-interbase/Makefile b/databases/php53-interbase/Makefile index 6cc54195ec29..4f41c0fe5dbe 100644 --- a/databases/php53-interbase/Makefile +++ b/databases/php53-interbase/Makefile @@ -1,6 +1,5 @@ # $FreeBSD$ -PORTREVISION= 1 CATEGORIES= databases MASTERDIR= ${.CURDIR}/../../lang/php53 diff --git a/databases/php53-pdo_firebird/Makefile b/databases/php53-pdo_firebird/Makefile index d8851f1c5b02..fa681efb884f 100644 --- a/databases/php53-pdo_firebird/Makefile +++ b/databases/php53-pdo_firebird/Makefile @@ -1,6 +1,5 @@ # $FreeBSD$ -PORTREVISION= 2 CATEGORIES= databases MASTERDIR= ${.CURDIR}/../../lang/php53 diff --git a/ftp/php53-curl/Makefile b/ftp/php53-curl/Makefile index d8cbe3473eed..1080752fdc0e 100644 --- a/ftp/php53-curl/Makefile +++ b/ftp/php53-curl/Makefile @@ -1,7 +1,6 @@ # $FreeBSD$ CATEGORIES= ftp -PORTREVISION= 1 MASTERDIR= ${.CURDIR}/../../lang/php53 diff --git a/lang/php53/Makefile b/lang/php53/Makefile index 9df1f44f3735..0dd20a33bc85 100644 --- a/lang/php53/Makefile +++ b/lang/php53/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= php53 -PORTVERSION= 5.3.27 +PORTVERSION= 5.3.28 PORTREVISION?= 0 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP} diff --git a/lang/php53/distinfo b/lang/php53/distinfo index 7553bb335aef..1e890c26fe13 100644 --- a/lang/php53/distinfo +++ b/lang/php53/distinfo @@ -1,5 +1,5 @@ -SHA256 (php-5.3.27.tar.bz2) = e12db21c623b82a2244c4dd9b06bb75af20868c1b748a105a6829a5acc36b287 -SIZE (php-5.3.27.tar.bz2) = 11432791 +SHA256 (php-5.3.28.tar.bz2) = 0cac960c651c4fbb3d21cf2f2b279a06e21948fb35a0d1439b97296cac1d8513 +SIZE (php-5.3.28.tar.bz2) = 11051714 SHA256 (suhosin-patch-5.3.x-0.9.10.4.patch.gz) = 694f81a68120df89589d20262389b25431f8f2485b81da7519ffbf39edef14fd SIZE (suhosin-patch-5.3.x-0.9.10.4.patch.gz) = 40805 SHA256 (php-5.3.x-mail-header.patch) = 5a677448b32d9f592703e2323a33facdb45e5c237dcca04aaea8ec3287f7db84 diff --git a/lang/php53/files/patch-ext_openssl_openssl.c b/lang/php53/files/patch-ext_openssl_openssl.c deleted file mode 100644 index 9d22fc0ca236..000000000000 --- a/lang/php53/files/patch-ext_openssl_openssl.c +++ /dev/null @@ -1,111 +0,0 @@ -diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c -index d7ac117..c32748c 100644 ---- ext/openssl/openssl.c -+++ ext/openssl/openssl.c -@@ -1398,6 +1398,74 @@ PHP_FUNCTION(openssl_x509_check_private_key) - } - /* }}} */ - -+/* Special handling of subjectAltName, see CVE-2013-4073 -+ * Christian Heimes -+ */ -+ -+static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension) -+{ -+ GENERAL_NAMES *names; -+ const X509V3_EXT_METHOD *method = NULL; -+ long i, length, num; -+ const unsigned char *p; -+ -+ method = X509V3_EXT_get(extension); -+ if (method == NULL) { -+ return -1; -+ } -+ -+ p = extension->value->data; -+ length = extension->value->length; -+ if (method->it) { -+ names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length, -+ ASN1_ITEM_ptr(method->it))); -+ } else { -+ names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length)); -+ } -+ if (names == NULL) { -+ return -1; -+ } -+ -+ num = sk_GENERAL_NAME_num(names); -+ for (i = 0; i < num; i++) { -+ GENERAL_NAME *name; -+ ASN1_STRING *as; -+ name = sk_GENERAL_NAME_value(names, i); -+ switch (name->type) { -+ case GEN_EMAIL: -+ BIO_puts(bio, "email:"); -+ as = name->d.rfc822Name; -+ BIO_write(bio, ASN1_STRING_data(as), -+ ASN1_STRING_length(as)); -+ break; -+ case GEN_DNS: -+ BIO_puts(bio, "DNS:"); -+ as = name->d.dNSName; -+ BIO_write(bio, ASN1_STRING_data(as), -+ ASN1_STRING_length(as)); -+ break; -+ case GEN_URI: -+ BIO_puts(bio, "URI:"); -+ as = name->d.uniformResourceIdentifier; -+ BIO_write(bio, ASN1_STRING_data(as), -+ ASN1_STRING_length(as)); -+ break; -+ default: -+ /* use builtin print for GEN_OTHERNAME, GEN_X400, -+ * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID -+ */ -+ GENERAL_NAME_print(bio, name); -+ } -+ /* trailing ', ' except for last element */ -+ if (i < (num - 1)) { -+ BIO_puts(bio, ", "); -+ } -+ } -+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); -+ -+ return 0; -+} -+ - /* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true]) - Returns an array of the fields/values of the CERT */ - PHP_FUNCTION(openssl_x509_parse) -@@ -1494,15 +1562,29 @@ PHP_FUNCTION(openssl_x509_parse) - - - for (i = 0; i < X509_get_ext_count(cert); i++) { -+ int nid; - extension = X509_get_ext(cert, i); -- if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) { -+ nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension)); -+ if (nid != NID_undef) { - extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension))); - } else { - OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1); - extname = buf; - } - bio_out = BIO_new(BIO_s_mem()); -- if (X509V3_EXT_print(bio_out, extension, 0, 0)) { -+ if (nid == NID_subject_alt_name) { -+ if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) { -+ add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1); -+ } else { -+ zval_dtor(return_value); -+ if (certresource == -1 && cert) { -+ X509_free(cert); -+ } -+ BIO_free(bio_out); -+ RETURN_FALSE; -+ } -+ } -+ else if (X509V3_EXT_print(bio_out, extension, 0, 0)) { - BIO_get_mem_ptr(bio_out, &bio_buf); - add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1); - } else { diff --git a/security/php53-openssl/Makefile b/security/php53-openssl/Makefile index 40154ad54d24..b8a2edc12541 100644 --- a/security/php53-openssl/Makefile +++ b/security/php53-openssl/Makefile @@ -1,7 +1,5 @@ # $FreeBSD$ -PORTREVISION= 1 - CATEGORIES= security MASTERDIR= ${.CURDIR}/../../lang/php53 diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 6e3a33094a7b..f541f0f15c1a 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,53 @@ Note: Please add new entries to the beginning of this file. --> + + PHP5 -- memory corruption in openssl_x509_parse() + + + php5 + 5.4.05.4.23 + + + php53 + 5.3.28 + + + php55 + 5.5.05.5.7 + + + + +

Stefan Esser reports:

+
+

The PHP function openssl_x509_parse() uses a helper function + called asn1_time_to_time_t() to convert timestamps from ASN1 + string format into integer timestamp values. The parser within + this helper function is not binary safe and can therefore be + tricked to write up to five NUL bytes outside of an allocated + buffer.

+

This problem can be triggered by x509 certificates that contain + NUL bytes in their notBefore and notAfter timestamp fields and + leads to a memory corruption that might result in arbitrary + code execution.

+

Depending on how openssl_x509_parse() is used within a PHP + application the attack requires either a malicious cert signed + by a compromised/malicious CA or can be carried out with a + self-signed cert.

+
+ + + + CVE-2013-6420 + https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html + + + 2013-12-13 + 2013-12-14 + + + mozilla -- multiple vulnerabilities